Security Policy Actions

For traffic that matches the attributes defined in a security policy, you can apply the following actions:

| Action | Description |
|---|---|
| Allow (default) | Allows the traffic. |
| Deny | Blocks traffic and enforces the default Deny Action defined for the application that is being denied. To view the deny action defined by default for an application, view the application details in Objects > Applications or check the application details in Applipedia. |
| Drop | Silently drops the traffic; for an application, it overrides the default deny action. A TCP reset is not sent to the host/application. For Layer 3 interfaces, to optionally send an ICMP unreachable response to the client, set Action: Drop and enable the Send ICMP Unreachable check box. When enabled, the firewall sends the ICMP code for "communication with the destination is administratively prohibited" (ICMPv4: Type 3, Code 13; ICMPv6: Type 1, Code 1). |
| Reset client | Sends a TCP reset to the client-side device. |
| Reset server | Sends a TCP reset to the server-side device. |
| Reset both | Sends a TCP reset to both the client-side and server-side devices. |

A reset is sent only after a session is formed. If the session is blocked before a 3-way handshake is completed, the firewall will not send the reset.
For a TCP session with a reset action, the firewall does not send an ICMP Unreachable response.
For a UDP session with a drop or reset action, if the ICMP Unreachable check box is selected, the firewall sends an ICMP message to the client.
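
The rules above interact (protocol, session state, and the ICMP Unreachable check box), so the following added example, which is not vendor code, models what the firewall itself sends for matched traffic. The function name, action strings, and tuple format are hypothetical. It assumes a Layer 3 interface and that a UDP reset action uses the same ICMP code documented for Drop.

```python
# Added illustration: encodes only the behaviour stated in the table and notes.
# IP version -> (ICMP type, code) for "administratively prohibited".
ICMP_ADMIN_PROHIBITED = {4: (3, 13), 6: (1, 1)}
RESET_TARGETS = {
    "reset-client": ["client"],
    "reset-server": ["server"],
    "reset-both": ["client", "server"],
}


def firewall_responses(action, protocol, session_formed=True,
                       icmp_unreachable=False, ip_version=4):
    """Return the packets the firewall sends for traffic matching a rule.

    Items are ("tcp-rst", target), ("icmp", "client", type, code), or
    ("app-default-deny",) when the application's own deny action decides.
    Hypothetical helper, not a PAN-OS API; a Layer 3 interface is assumed.
    """
    action, protocol = action.lower(), protocol.lower()
    if protocol not in ("tcp", "udp"):
        raise ValueError("only TCP and UDP are described on this page")
    if action == "allow":
        return []
    if action == "deny":
        # Outcome depends on the per-application default deny action.
        return [("app-default-deny",)]
    icmp = [("icmp", "client", *ICMP_ADMIN_PROHIBITED[ip_version])]
    if action == "drop":
        # Silent unless Send ICMP Unreachable is enabled; never a TCP reset.
        return icmp if icmp_unreachable else []
    if action in RESET_TARGETS:
        if protocol == "tcp":
            # A reset is sent only after the 3-way handshake completes,
            # and a TCP reset action never produces ICMP Unreachable.
            if not session_formed:
                return []
            return [("tcp-rst", side) for side in RESET_TARGETS[action]]
        # UDP: a TCP reset does not apply; ICMP goes to the client only
        # if the check box is selected (ICMP code is an assumption here).
        return icmp if icmp_unreachable else []
    raise ValueError(f"unknown action: {action!r}")
```

An empty list means the client sees no response from the firewall and the connection attempt times out, which is useful to keep in mind when reading packet captures against a rule's configured action.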